Facebook Scammers Create Fake Profiles to Spam Users, Click-Jacking

Scammers are using automated techniques to generate tons of fake profiles to trick users into joining scams and clicking on malicious links, Barracuda Networks found.

CANCUN, MEXICO - Cyber-crooks on Facebook are creating fake
profiles on the social networking site to launch their scams, according to data
released by Barracuda Networks.

The fake profiles are overwhelmingly women. About 97 percent
of the fake profiles collected by Barracuda Networks turned out to be of women,
Paul Judge, chief research officer at Barracuda, said in his
"FakeBook" presentation at the Kaspersky Lab Security Analyst Summit
Feb. 2. Female users account for about 40 percent of real people on Facebook,
Judge said.

Many of the profiles are automatically generated, using
similar photos, and randomly selecting metropolitan cities, a high school or
college near the city and random interests, Judge said. The profiles are aimed
at spreading spam or tricking users into joining affiliate programs, all of
which translate into real-world money for the scammers.

"Fake users can take over your account, spam your wall
and feeds," Judge said.

Judge wasn't exaggerating the possibility of account
takeovers. Facebook implemented its Trusted
Friends feature in October, where users who can't log into their accounts
can ask Facebook to send the unlock code to three of their friends. If the user
has accepted enough fake profiles as friends, all the attacker has to do is
find three photos of the fakes and get the code to enter the account, Judge
said.

The spam and affiliate programs are much more common. For
example, users may think an ad campaign for Starbucks gift cards or $250 from
Outback is real and click on those "deals," Judge said. People
get excited by these offers and don't stop to think about why that brand is
offering them something for free, Judge said. And scammers get paid for every
click.

Barracuda has built a tool capable of crawling Facebook
user pages to identify fake profiles, Judge said. There is also a plug-in in
the works so that users can preview Friend requests before accepting. The
ProfileProtector tool is available for both Facebook and Twitter users.

How can the typical Facebook user tell whether that friend
request is coming from a breathing human or if it is a fake profile? There are
certain red flags. Apparently 58 percent of fake Facebook accounts say they are
"interested in" both men and women, while those accounts make up only
6 percent of the real accounts, according to data collected by Barracuda. Phony
profiles also tend to have a large number of friends, averaging 726 Facebook
friends, when real users generally have about 130. Nearly 70 percent of the
fakes claim a college education, whereas 40 percent of legitimate users on
Facebook have one.

Fake friends rarely update beyond uploading photos, which
they go crazy tagging. Fake profiles on average tag 30 people per photo
uploaded, which is a dramatic contrast to one tag per every four photos
uploaded by real users. Nearly half, or 43 percent, have never updated their
Facebook statuses, while only 15 percent of real Facebook users can claim the
same. They also tend to list few or no interests, and if they do, they are
often close together alphabetically, like three musical groups starting with
the letter 'A,' Judge said.

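
The red flags above can be combined into one score. This is an added example, not Barracuda's tool or code from the article: the three reported percentages become naive Bayes log-likelihood ratios, while the flat weight and the geometric-midpoint cutoff used for the signals reported only as averages are assumptions. Field names and sample profiles are constructed.

```python
import math

# Yes/no signals: (share of fakes, share of real users), as reported in the article.
RATES = {
    "interested_in_both": (0.58, 0.06),
    "claims_college": (0.70, 0.40),
    "never_updated_status": (0.43, 0.15),
}
# Only averages are reported for these: (fake average, real average).
AVG_FRIENDS = (726, 130)
AVG_TAGS_PER_PHOTO = (30, 0.25)  # real users: one tag per four photos
ASSUMED_WEIGHT = 1.0             # assumption: flat weight where no rates are given

def llr(present, p_fake, p_real):
    """Log-likelihood ratio of one yes/no signal (independence between signals assumed)."""
    if present:
        return math.log(p_fake / p_real)
    return math.log((1 - p_fake) / (1 - p_real))

def nearer_fake(value, averages):
    """Assumption: cut at the geometric midpoint of the fake and real averages."""
    return value > math.sqrt(averages[0] * averages[1])

def score_profile(p):
    """Return (score, reasons); a positive score leans fake, a negative one leans real."""
    score, reasons = 0.0, []
    for name, (p_fake, p_real) in RATES.items():
        score += llr(p[name], p_fake, p_real)
        if p[name]:
            reasons.append(name)
    checks = {
        "many_friends": nearer_fake(p["friends"], AVG_FRIENDS),
        # A profile with no photos has no tagging rate, so the check is skipped.
        "heavy_tagging": p["photos"] > 0
        and nearer_fake(p["tags"] / p["photos"], AVG_TAGS_PER_PHOTO),
        "interests_same_letter": len(p["interests"]) >= 3
        and len({i[:1].upper() for i in p["interests"]}) == 1,
    }
    for name, hit in checks.items():
        if hit:
            score += ASSUMED_WEIGHT
            reasons.append(name)
    return score, reasons

# Constructed sample profiles (not real accounts).
LIKELY_FAKE = {"interested_in_both": True, "claims_college": True, "never_updated_status": True,
               "friends": 800, "photos": 10, "tags": 300, "interests": ["ABBA", "AC/DC", "Aerosmith"]}
LIKELY_REAL = {"interested_in_both": False, "claims_college": False, "never_updated_status": False,
               "friends": 150, "photos": 20, "tags": 5, "interests": ["Hiking", "Jazz", "Cooking"]}
```

The score is a likelihood ratio only; it does not account for how rare fake profiles are overall, so a cutoff for acting on it has to be chosen separately.
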
Interestingly, fake profiles are often clustered near
metropolitan cities, such as New York City and Los Angeles. According to a heat
map provided by Judge, there is a bit of a tendency for the fake profiles to be
located on the East Coast.

Despite the fact that a majority of the profiles are women,
it is too early to tell whether the attackers are specifically targeting men,
Judge said. Recent studies have shown that men are more likely to accept friend
requests from women they don't know than women are to accept requests from men
they don't know.